Abstract

Recently, a new domino signal encryption algorithm (DSEA) was proposed for digi- 
tal signal transmission, especially for digital images and videos. This paper analyzes 
the security of DSEA, and points out the following weaknesses: 1) its security against 
the brute-force attack was overestimated; 2) it is not sufficiently secure against 
ciphertext-only attacks, and only one ciphertext is enough to get some information 
about the plaintext and to break the value of a sub-key; 3) it is insecure against 
known/chosen-plaintext attacks, in the sense that the secret key can be recovered 
from a number of continuous bytes of only one known/chosen plaintext and the 
corresponding ciphertext. Experimental results are given to show the performance 
of the proposed attacks, and some countermeasures are discussed to improve DSEA. 
1 Introduction



In today's networked world, security issues have become more and more
important, so various encryption algorithms have been developed to fulfill the
needs of different applications (Schneier, 1996). In recent years, Yen and Guo
et al. proposed a series of chaos-based^1 signal/image encryption schemes
(Li et al., 2004b, Sec. 4.4.3), some of which have been broken according to
the works reported in (Li and Zheng, 2002a,b; Li et al., 2005b, 2004a, 2005a).
The present paper gives the cryptanalysis results on a new Yen-Guo encryption
scheme called DSEA (Yen and Guo, 2003), which has not been cryptanalyzed
before.



DSEA encrypts the plaintext block by block, which is composed of multiple 
bytes. The first byte of each block is masked by part of the secret key, and 
other bytes are masked by the previous cipher-byte, under the control of a 
chaotic pseudo-random bit sequence (PRBS). That is to say, DSEA works like 
the dominos. This paper analyzes the security of DSEA, and points out the 
following defects: 1) its security against the brute-force attack was overesti- 
mated; 2) it is not sufficiently secure against ciphertext-only attacks, and only 
one ciphertext is enough to get some information about the plaintext and to 
break the value of a sub-key; 3) it is insecure against known/chosen-plaintext 
attacks, in the sense that the secret key can be recovered from a number of 
continuous bytes of only one known/chosen plaintext and the corresponding 
ciphertext. 

The rest of this paper is organized as follows. First, Sec. 2 gives a brief
introduction to DSEA. Then, the cryptanalysis results are presented in detail 
in Sec. 3, with some experimental results. Section 4 discusses how to improve 
DSEA. The last section concludes the paper. 



2 Domino Signal Encryption Algorithm (DSEA) 



Assume that the plaintext is $g = \{g(n)\}_{n=0}^{M-1}$ and that the ciphertext
is $g' = \{g'(n)\}_{n=0}^{M-1}$, where $g(n)$ and $g'(n)$ denote the $n$-th
plain-byte and cipher-byte, respectively. Then, the encryption procedure of
DSEA can be described as follows (see also Fig. 1).

• The secret key: two integers, $L \in \{1, \cdots, M\}$,
$initial\_key \in \{0, \cdots, 255\}$, the control parameter $\mu$ and the
initial condition $x(0)$ of the following chaotic Logistic map
(Devaney, 1989; Hao, 1993):

$$x(k+1) = \mu \cdot x(k) \cdot (1 - x(k)).$$

• The initialization procedure: under 8-bit finite computing precision, run the
Logistic map from $x(0)$ to generate a chaotic sequence
$\{x(k)\}_{k=0}^{\lceil M/8 \rceil - 1}$, and then extract the 8 significant
bits of $x(k)$ to yield a PRBS $\{b(n)\}_{n=0}^{M-1}$, where
$x(k) = \sum_{i=0}^{7} \left(b_{8k+i} \cdot 2^{-(i+1)}\right) = 0.b_{8k+0} \cdots b_{8k+7}$.

• The encryption procedure: for $n = 0 \sim M-1$, do

$$g'(n) = \begin{cases} g(n) \oplus true\_key, & b(n) = 1, \\ g(n) \oplus \overline{true\_key}, & b(n) = 0, \end{cases}$$

where

$$true\_key = \begin{cases} initial\_key, & n \bmod L = 0, \\ g'(n-1), & n \bmod L \neq 0, \end{cases}$$

and $\oplus$ denotes the bitwise XOR operation.

• The decryption procedure is identical with the above encryption procedure,
since XOR is an invertible operation.

Fig. 1. The diagrammatic view of the encryption procedure of DSEA.

^1 Chaos is a dynamical phenomenon demonstrated in many dynamical systems
(Devaney, 1989; Hao, 1993). Due to the tight relationship between chaos and
cryptography, chaotic systems have been used to design encryption schemes since
the 1990s. For a survey of digital chaotic ciphers, see (Li, 2003, Chap. 2).






3 Cryptanalysis 



3.1 Brute-force attack 



The brute-force attack is the attack of exhaustively searching the secret key
from the set of all possible keys (Schneier, 1996). Apparently, the attack
complexity is determined by the size of the key space and the complexity of
verifying each key. The secret key of DSEA is $(L, initial\_key, \mu, x(0))$,
which has $M \cdot 2^{24}$ possible values. Taking the complexity of verifying
each key into consideration, the total complexity of searching for all possible
keys is $O(2^{24} \cdot M^2)$. When the plaintext is selected as a typical image
of size $256 \times 256$, the complexity will be $O(2^{56})$, which is much
smaller than $O(2^M \cdot M) = O(2^{65552})$, the complexity claimed in
(Yen and Guo, 2003). Note that the real complexity is even smaller since not all
values of $\mu$ can ensure the chaoticity of the Logistic map
(Devaney, 1989; Hao, 1993). That is, the security of DSEA against brute-force
attacks was much over-estimated in (Yen and Guo, 2003). In today's digitized and
networked world, the complexity of order O(2^^^) is required for a
cryptographically-strong cipher (Schneier, 1996), which means DSEA is not
practically secure.



3.2 Ciphertext-only attacks 



Ciphertext-only attacks are such attacks in which one can access a set of
ciphertexts (Schneier, 1996). Since the transmission channel is generally
insecure, security against ciphertext-only attacks is required for any cipher.
However, it is found that DSEA is not sufficiently secure against
ciphertext-only attacks, since much information about the plaintext and the
secret key can be found from even one ciphertext.

Given an observed ciphertext $g'$, generate two mask texts, $g_0^*$ and $g_1^*$,
as follows: $g_0^*(0) = 0$, $g_1^*(0) = 0$, and $\forall n = 1 \sim M-1$,
$g_0^*(n) = g'(n) \oplus g'(n-1)$, $g_1^*(n) = g'(n) \oplus \overline{g'(n-1)}$.
From the encryption procedure of DSEA, it can be easily verified that the
following result is true when $n \bmod L \neq 0$:

$$g(n) = \begin{cases} g_1^*(n), & b(n) = 0, \\ g_0^*(n), & b(n) = 1, \end{cases}$$

which means that $g(n)$ is equal to either $g_0^*(n)$ or $g_1^*(n)$. Assuming
that each chaotic bit distributes uniformly over $\{0, 1\}$, one can deduce that
the percentage of right plain-pixels in $g_0^*$ and $g_1^*$ is not less than
■ ^ = \ — When $L$ is large, about half pixels in $g_0^*$ and $g_1^*$ are
plain-pixels in $g$, and it is expected that some visual information of the
plain-image can be distinguished from $g_0^*$ and $g_1^*$.



To verify the above idea, one $256 \times 256$ image, "Lenna", has been
encrypted to get $g_0^*$ and $g_1^*$, with the following secret parameters:
$L = 15$, $initial\_key = 170$, $\mu = 251/2^6 \approx 3.9219$,
$x(0) = 69/2^8 \approx 0.2695$. The experimental results are shown in Fig. 2.
In $g_0^*$ there are 27726 pixels that are identical with those in $g$, and in
$g_1^*$ there are 33461 such pixels. Observing Figs. 2c and d, one can see that
the plain-image roughly emerges from both $g_0^*$ and $g_1^*$.




Fig. 2. A ciphertext-only attack to DSEA: a) the plain-image $g$; b) the
cipher-image $g'$; c) the mask image $g_0^*$; d) the mask image $g_1^*$.

In addition, from either $g_0^*$ or $g_1^*$, it is possible to directly get the
value of $L$, if there exists strong correlation between adjacent bytes of the
plaintext (speeches and natural images are good examples). This is due to the
probability difference existing between the following two kinds of plain-bytes:

• when $n \bmod L \neq 0$, $g_0^*(n) = g(n)$ and $g_1^*(n) = g(n)$ with a
probability of $\frac{1}{2}$;

• when $n \bmod L = 0$, $g_0^*(n) = g(n)$ and $g_1^*(n) = g(n)$ with a
probability^2 of

^2 Without loss of generality, it is assumed that each cipher-byte distributes
uniformly in $\{0, \cdots, 255\}$.

^3 $g_0^*(n) = g(n)$ if and only if $g'(n-1) = initial\_key$; $g_1^*(n) = g(n)$
if and only if $g'(n-1) = \overline{initial\_key}$.

Fig. 3. The differential images of $g_0^*$ and $g_1^*$.

When there exists strong correlation between adjacent bytes, the above
probability difference implies that there exists strong discontinuity around
each position satisfying $n \bmod L = 0$ (with a high probability). The fixed
occurrence period of such discontinuous bytes will generate
periodically-occurring straight lines in the mask text when it is an image or
displayed in 2-D mode, as shown in Figs. 2c and d. Then, it is easy to determine
the occurrence period, i.e., the value of $L$, by checking the horizontal
distance between any two adjacent lines. To make the straight lines clearer, one
can calculate the differential images of $g_0^*$ and $g_1^*$, as shown in
Fig. 3, where the differential image of an image $g = \{g(n)\}_{n=0}^{M-1}$ is
defined as follows: $g_d(0) = g(0)$ and $\forall n = 1 \sim M-1$,
$g_d(n) = |g(n) - g(n-1)|$. Note that the two differential images of $g_0^*$ and
$g_1^*$ are identical according to the following theorem, from which one can get
that
$|g_0^*(n) - g_0^*(n-1)| = |(g'(n) \oplus g'(n-1)) - (g'(n-1) \oplus g'(n-2))|
= |(g'(n) \oplus \overline{g'(n-1)}) - (g'(n-1) \oplus \overline{g'(n-2)})|
= |g_1^*(n) - g_1^*(n-1)|$.

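Theorem 1 For any three $s$-bit integers, $a, b, c$, it is true that
$|(a \oplus b) - (b \oplus c)| = |(a \oplus \bar{b}) - (b \oplus \bar{c})|$.

Proof: Introduce four new variables, $A = a \oplus b$, $B = b \oplus c$,
$A' = a \oplus \bar{b}$, $B' = b \oplus \bar{c}$. It can be easily verified that
$A' = \bar{A}$ and $B' = \bar{B}$, since
$a \oplus \bar{b} = a \oplus b \oplus b \oplus \bar{b} = a \oplus b \oplus (2^s - 1) = \overline{a \oplus b}$.
That is, $(a \oplus b) - (b \oplus c) = A - B$ and
$(a \oplus \bar{b}) - (b \oplus \bar{c}) = \bar{A} - \bar{B}$. Let
$A = (A_0 \cdots A_{s-1})_2 = \sum_{i=0}^{s-1} A_i \cdot 2^i$,
$B = (B_0 \cdots B_{s-1})_2 = \sum_{i=0}^{s-1} B_i \cdot 2^i$. Since
$\forall A_i, B_i \in \{0, 1\}$, $\bar{A}_i - \bar{B}_i = B_i - A_i$, it is
obvious that
$\bar{A} - \bar{B} = \sum_{i=0}^{s-1} (\bar{A}_i - \bar{B}_i) \cdot 2^i = \sum_{i=0}^{s-1} (B_i - A_i) \cdot 2^i = B - A$.
As a result,
$|(a \oplus b) - (b \oplus c)| = |A - B| = |B - A| = |\bar{A} - \bar{B}| = |(a \oplus \bar{b}) - (b \oplus \bar{c})|$,
which completes the proof. ■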

Fig. 4. The enhanced differential image $g_d^*$.



3.3 Known/chosen-plaintext attacks 



Known/chosen-plaintext attacks are such attacks in which one can access/choose
a set of plaintexts and observe the corresponding ciphertexts (Schneier, 1996).
In today's networked world, such attacks occur more and more frequently. For a
cipher with a high level of security, security against both known-plaintext and
chosen-plaintext attacks is required. Although it was claimed that DSEA can
resist this kind of attacks (Yen and Guo, 2003, Sec. IV.B), we found this claim
is not true: with a limited number of continuous plain-bytes of only one
known/chosen plaintext, one can completely break the secret key to decrypt other
unknown plain-bytes of the known/chosen plaintext and any new ciphertexts
encrypted with the same key. Apparently, even when the secret key is changed for
each plaintext (as mentioned in (Yen and Guo, 2003, Sec. IV.B)), DSEA is
insecure against known/chosen-plaintext attacks. In the following, let us
discuss how to break the four sub-keys, respectively.

1) Breaking the sub-key $L$: as mentioned above, once one gets a ciphertext,
he can easily deduce the value of $L$ by observing the periodically-occurring
straight lines in the two constructed mask texts, $g_0^*$ and $g_1^*$.
Furthermore, since the plaintext is also known, it is possible to generate an
enhanced differential image, $g_d^*$, as follows: $g_d^*(0) = 0$, and
$\forall n = 1 \sim M-1$,

$$g_d^*(n) = \begin{cases} 0, & g(n) \in \{g_0^*(n), g_1^*(n)\}, \\ 255, & g(n) \notin \{g_0^*(n), g_1^*(n)\}. \end{cases}$$

See Fig. 4 for the enhanced differential image corresponding to the cipher-image
shown in Fig. 2b. Compared with Fig. 3, one can see that the straight lines
become clearer.

2) Breaking the $initial\_key$: for all values of $n$ that satisfy
$n \bmod L = 0$, it is obvious that

$$initial\_key = \begin{cases} g(n) \oplus g'(n), & b(n) = 1, \\ \overline{g(n) \oplus g'(n)}, & b(n) = 0. \end{cases} \quad (4)$$

Note that it is possible to uniquely determine the value of $initial\_key$, when
there may exist pixels satisfying $n \bmod L = 0$ and $g_d^*(n) = 0$, i.e.,
$g(n) \in \{g_0^*(n), g_1^*(n)\} = \{g'(n) \oplus g'(n-1), g'(n) \oplus \overline{g'(n-1)}\}$.
Considering $g'(n) = g(n) \oplus initial\_key$, one can immediately deduce that

$$initial\_key = \begin{cases} \overline{g'(n-1)}, & g(n) = g_1^*(n), \\ g'(n-1), & g(n) = g_0^*(n). \end{cases} \quad (5)$$



3) Breaking the chaotic PRBS and the other two sub-keys: once $L$ and
$initial\_key$ have been determined, the chaotic PRBS, $\{b(n)\}_{n=0}^{M-1}$,
can be immediately derived as follows:

• when $n \bmod L \neq 0$: if $g(n) = g_1^*(n)$ then $b(n) = 0$, else $b(n) = 1$;

• when $n \bmod L = 0$: if $initial\_key = g(n) \oplus g'(n)$ then $b(n) = 1$,
else $b(n) = 0$.

Once is uniquely determined, $x(0) = 0.b(0) \cdots b(7)$ can be immediately
recovered.

With 16 consecutive chaotic bits, $b(8k+0) \sim b(8k+15)$, one can further
derive two consecutive chaotic states: $x(k) = 0.b(8k+0) \cdots b(8k+7)$ and
$x(k+1) = 0.b(8k+8) \cdots b(8k+15)$, and then derive an estimation of the
sub-key $\mu$ as

$$\tilde{\mu} = \frac{x(k+1)}{x(k) \cdot (1 - x(k))}.$$

Due to the quantization errors introduced in the finite-precision arithmetic,
generally $x(k+1) \neq \mu \cdot x(k) \cdot (1 - x(k))$, so
$\tilde{\mu} \neq \mu$. Fortunately, following the error analysis of
$\tilde{\mu}$ in (Li et al., 2004a, Sec. 3.2), the following result has been
obtained: when $x(k+1) \geq 2^{-n}$ ($n = 1 \sim 8$),
$|\mu - \tilde{\mu}| < 2^{n+3} \cdot 2^{-8}$. Specially, when
$x(k+1) \geq 2^{-1} = 0.5$, $|\tilde{\mu} - \mu| < 2^4 \cdot 2^{-8}$, which
means that one can exhaustively search for $2^4 = 16$ values in the neighborhood
of $\tilde{\mu}$ to find the right value of $\mu$. To verify which searched
value is the right one, one can iterate the Logistic map from $x(k+1)$ for some
times to get some new chaotic states and then check the coincidence between
these chaotic states and the corresponding recovered chaotic bits.

With the above steps, the whole secret key $(L, initial\_key, \mu, x(0))$ can be
recovered, and then be used for decryption. For the plain-image "Lenna", a
breaking result is shown in Fig. 5. It can be verified that the complexity of
the known/chosen-plaintext attacks is only $O(M)$, which means a perfect
breaking of DSEA.

Fig. 5. The recovered plain-image of "Lenna" in a known-plaintext attack.

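
The recovery steps of Sec. 3.3, as an added example in Python (not code from the paper): it implements DSEA as Sec. 2 describes it, recovers L, a key byte and the PRBS bits from one known plaintext/ciphertext pair, and decrypts a second ciphertext with them. The truncation used in `prbs`, the function names and the two sample messages are assumptions made here; the sketch stops at an equivalent key (`key` is initial_key or its complement, with the block-start bits adjusted to match) and does not estimate μ.

```python
from functools import reduce
from math import gcd

def prbs(mu8, x8, nbits):
    """PRBS b(n): bits of 8-bit Logistic-map states (mu = mu8/64, x = x8/256).
    Assumption: each new state is truncated, a detail the paper does not give."""
    bits = []
    while len(bits) < nbits:
        bits += [(x8 >> (7 - i)) & 1 for i in range(8)]  # x(k) = 0.b(8k)...b(8k+7)
        x8 = (mu8 * x8 * (256 - x8)) >> 14               # mu * x(k) * (1 - x(k))
    return bits[:nbits]

def dsea(data, L, initial_key, bits, decrypt=False):
    """Sec. 2: mask byte n with true_key when b(n) = 1, its complement when b(n) = 0."""
    out, prev_cipher = bytearray(), 0
    for n, byte in enumerate(data):
        true_key = initial_key if n % L == 0 else prev_cipher
        out.append(byte ^ (true_key if bits[n] else true_key ^ 0xFF))
        prev_cipher = byte if decrypt else out[-1]
    return bytes(out)

def recover(plain, cipher):
    """Sec. 3.3 from one known pair: L, a key byte and the PRBS bits."""
    d = [p ^ c for p, c in zip(plain, cipher)]           # mask applied to byte n
    # Inside a block the mask is g'(n-1) or its complement; any other value marks
    # n mod L = 0 (the nonzero pixels of the enhanced differential image).
    breaks = [n for n in range(1, len(d))
              if d[n] not in (cipher[n - 1], cipher[n - 1] ^ 0xFF)]
    if not breaks:
        raise ValueError("no block boundary visible; need more known bytes")
    L = reduce(gcd, breaks)                              # spacing of the "lines"
    key = d[0]                                           # initial_key or its complement
    bits = [int(d[n] == (key if n % L == 0 else cipher[n - 1]))
            for n in range(len(d))]
    return L, key, bits

# Constructed sample data; key values are the ones used in the paper's experiment.
KNOWN = b"known plaintext: predictable protocol header bytes"
SECRET = b"second message under the same key"

def demo():
    stream = prbs(251, 69, len(KNOWN))                   # mu = 251/2^6, x(0) = 69/2^8
    c_known = dsea(KNOWN, 15, 170, stream)
    c_secret = dsea(SECRET, 15, 170, stream)
    L, key, bits = recover(KNOWN, c_known)
    return L, key, dsea(c_secret, L, key, bits, decrypt=True)

if __name__ == "__main__":
    print(demo())
```

The recovered bits agree with the true PRBS at every position with n mod L ≠ 0, which is why a second ciphertext no longer than the known plaintext decrypts without knowing μ or x(0).
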
4 Improving DSEA 



In this section, we study some possible remedies to DSEA to resist the pro- 
posed attacks. It is concluded that DSEA cannot be simply enhanced to resist 
known/chosen-plaintext attacks. 

To ensure the complexity of the brute-force attack is cryptographically large,
the simplest idea is to increase the representation precision of $x(0)$ and
$\mu$. Binary representations of $x(0)$ and $\mu$ with 64 bits (long integers)
are suggested to provide a complexity not less than $O(2^{128})$ against the
brute-force attack.

Apparently, the insecurity of DSEA against ciphertext-only and known/chosen- 
plaintext attacks is mainly due to the invertibility of XOR operations. This 
is actually the weakness of all XOR-based stream ciphers. To make DSEA
more secure, one has to change the encryption structure and/or the basic masking
operations; in other words, one has to design a completely new cipher, instead
of enhancing DSEA to design a modified cipher.



In addition, there exists a special flaw in DSEA. According to
(Li, 2003, Sec. 2.5), when a chaotic system is implemented in $s$-bit finite
computing precision, each chaotic orbit will lead to a cycle whose length is
smaller than $2^s$ (and generally much smaller than $2^s$). Figure 6a shows the
pseudo-image of the chaotic PRBS recovered in a known-plaintext attack. It is
found that the cycle of the chaotic PRBS is only $2^6 = 64$ and the period of
the corresponding chaotic orbit is only $2^3 = 8$. Such a small period of the
chaotic PRBS will make all attacks easier. To amend this defect, using a higher
implementation precision or floating-point arithmetic is suggested. Figure 6b
gives the pseudo-image of the chaotic PRBS when the chaotic states are
calculated under double-precision floating-point arithmetic. It is obvious that
the short-period effect of the chaotic PRBS is effectively avoided.

Fig. 6. The pseudo-image of the chaotic PRBS, under two different
finite-precision arithmetics: a) 8-bit fixed-point arithmetic; b)
double-precision floating-point arithmetic.

5 Conclusion 



In this paper, the security of a recently-proposed signal security system called
DSEA (Yen and Guo, 2003) has been studied in detail. It is pointed out that
DSEA is not secure enough against the following attacks: the brute-force
attack, ciphertext-only attacks, and known/chosen-plaintext attacks.
Experimental results are also given to support the theoretical analysis. Also,
some remedies of enhancing the performance of DSEA are discussed. As a
conclusion, DSEA is not suggested in serious applications requiring a high level
of security.